Malicious PDF — malware analysis report

Static analysis result for SHA-256 47066070c95f5d21…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Authoring application: Solid Converter PDF
MD5: 62dc46ee4c8c3140047ace2216ce31c4
SHA-1: 1fb925713cb290b1b99a7ace8441c719f0b39eb2
SHA-256: 47066070c95f5d2153942a62fcd02f87297cca35500fbaf1181ec70160c88b8a
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the PDF carries clickable external URLs rather than an executable payload)
T1059.001 PowerShell (not supported by observed content: no scripts were extracted from this sample, so this mapping should be treated as an inference from the detection family, not an observation)

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on many different domains, almost all of them under the same /uploads/ path template. This is the signature of a generated link farm or a distribution layer for further malicious content, as flagged by the 'PDF_SEO_LINK_FARM' heuristic, and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' independently supports a malicious classification. No scripts were extracted from this sample, and the document body text is largely obfuscated and unreadable, so the risk lies in where the links lead rather than in code executed by the document itself.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, either clustered on one host or, as in this sample, spread across many hosts that share one /uploads/ path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection - see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (11):
    • http://holidayhoarders.com/uploads/1/3/0/3/130323159/8040396.pdf
    • http://mnguidedgoosehunting.com/uploads/1/3/0/4/130489131/zagan-jigudigaxo-nidaribi-sadiw.pdf
    • http://mimedesignstudio.com/uploads/1/3/0/6/130620198/fonaturofow.pdf
    • http://jccartstudios.org/uploads/1/3/0/6/130622033/8699047.pdf
    • http://xives.sakp.tech/uploads/2020/01/28/fawabuxol.pdf
    • http://newzealandlgbtiaward.com/uploads/1/3/0/5/130551248/nuwow_sisuwedagebit_gamiwoxaka.pdf
    • http://jlingnau.net/uploads/1/3/0/4/130435888/titaze_fivigufag_xozixexej.pdf
    • http://daniellesmakeupcreations.com/uploads/1/3/0/4/130476818/fasukuvutisumesogar.pdf
    • http://msfontes.com/uploads/1/3/0/5/130551127/kekogoza.pdf
    • http://nomorejoemoore.com/uploads/1/3/0/7/130740110/jofajatilix.pdf
    • http://michaelshusko.com/uploads/1/3/0/6/130604602/130604602.html#samsung+android+master+code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                      Source                                       Size
stream_003_off00006405.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x6405     17424 bytes
    SHA-256: a64f4c75c8a77f7312246d639d2e936b06293bcc14d40e4836671d114ada23b0
font_00_sfnt_off000012c6.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x12C6    8784 bytes
    SHA-256: 47013b39ca34723a0accaac6dd9d4b16a9734b296a2e68b79a0c065225bbd17c
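The two mechanical steps this report rests on, the PDF_SEO_LINK_FARM link heuristic and the FlateDecode stream carving behind the artifact table, re-implemented as an added example. This is not code from the report or from the analysis engine that produced it. It builds a small PDF in memory (a constructed sample, not the analysed file), pulls /URI link annotations out of it and scores them by count and per-host concentration, then inflates every FlateDecode stream and records offset, size and SHA-256 in the same shape as the artifact table. The thresholds MAX_SIZE, MIN_LINKS and TOP_HOST_SHARE, the SAMPLE_URLS list and the stream_NNN_offXXXXXXXX.bin naming are assumptions made here for illustration.

```python
"""Added example, not part of the report or its analysis engine: a
dependency-free re-implementation of two checks the report relies on,
run against a PDF constructed in memory so it works offline.

  1. PDF_SEO_LINK_FARM-style heuristic: collect /URI link annotations,
     keep external .pdf links, measure count and per-host concentration.
  2. Stream carving: locate FlateDecode streams, record their byte
     offsets, inflate them and hash the result, as the artifact table does.

MAX_SIZE, MIN_LINKS and TOP_HOST_SHARE are illustrative thresholds chosen
here, not the real engine's values.
"""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

MAX_SIZE = 100 * 1024     # assumed: what counts as a "small" PDF
MIN_LINKS = 8             # assumed: minimum external .pdf links to flag
TOP_HOST_SHARE = 0.5      # assumed: share of links on the busiest host


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pdf(urls, body=b"Hello"):
    """Constructed sample: one page, one FlateDecode content stream and one
    /Link annotation per URL. No xref table is written; the scanners below
    walk the file linearly, as carvers do on damaged PDFs."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (" + body + b") Tj ET")
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
    ]
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    pdf = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Literal-string URIs only; hex strings and escaped parentheses are not
# handled by this minimal scanner.
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")


def extract_uris(pdf: bytes):
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_check(pdf: bytes):
    """Mirror of the report's PDF_SEO_LINK_FARM idea: many external .pdf
    links in a small file, concentrated on one host."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= MAX_SIZE and len(pdf_links) >= MIN_LINKS
               and share >= TOP_HOST_SHARE)
    return {"uris": len(uris), "external_pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "flagged": flagged}


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_flate_streams(pdf: bytes):
    """Inflate every FlateDecode stream; name and hash each one the way the
    artifact table does (stream index plus byte offset of the data)."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits between the enclosing "N 0 obj" and the
        # stream keyword; scanning back avoids writing a full object parser.
        header = pdf[pdf.rfind(b" obj", 0, m.start()):m.start()]
        if b"/FlateDecode" not in header:
            continue
        try:
            data = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # truncated or bogus filter: skip it, do not abort the run
        off = m.start(1)
        carved.append({"name": "stream_%03d_off%08x.bin" % (len(carved), off),
                       "offset": off, "size": len(data),
                       "sha256": sha256_hex(data)})
    return carved


# Constructed URL list shaped like the report's: nine .pdf links, six of
# them on one host, plus one .html link that the .pdf filter should drop.
SAMPLE_URLS = (
    ["http://farm-host.example/uploads/1/3/0/%d/doc%d.pdf" % (i, i) for i in range(6)]
    + ["http://other-%d.example/uploads/file.pdf" % i for i in range(3)]
    + ["http://other-9.example/uploads/page.html#query"]
)

if __name__ == "__main__":
    sample = build_pdf(SAMPLE_URLS)
    print(link_farm_check(sample))
    for art in carve_flate_streams(sample):
        print(art)
```

Running it flags the constructed sample (nine external .pdf links, two thirds on one host, well under MAX_SIZE) and carves a single stream whose offset points just past the `stream` keyword, which is how the `off00006405` in the artifact filename above should be read. A PDF with only a couple of citation-style links stays unflagged, which is the distinction the heuristic text draws.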